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On behalf of Verizon, | recently submitted a proposal to the ATIS IPTV Interoperability Forum, DRM Task 
Group. A copy of this proposal is attached for reference. In accordance with the ATIS Operating 
Procedure, section 10.4, the users attention is called to: 


10.4.2.3 Notice 


NOTE - The user's attention is called to the possibility that compliance with this standard may require use 
of an invention covered by patent rights. 

By publication of this standard, no position is taken with respect to the validity of this claim or of any 
patent rights in connection therewith. The patent holder has, however, filed a statement of willingness to 
grant a license under these rights on reasonable and nondiscriminatory terms and conditions to 
applicants desiring to obtain such a license. Details may be obtained from the standards developer. 





Muxiang Zhang 
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Intellectual Property Notice 


NOTICE: As an American National Standards Institute (ANSI) accredited standard development organization ATIS follows 
the patent policy developed by ANSI. ATIS strongly encourages the early disclosure of a patent that might be referenced in 
an ATIS standard or other deliverable. The party making the disclosure should identify: 
e The patented invention; and 
e An explanation regarding the relevancy of the patented invention to the work under development. 
If use of a patented invention is required for compliance with the standard, then ATIS would need to receive from the 
identified party or patent holder either assurance that: 
è A license will be made available without compensation to the applicants desiring to utilize the license for the purpose of 
implementing the standard; or 
A license will be made available to applicants under reasonable terms and conditions that are demonstrably free of any 
unfair discrimination. 


committees. In addition, neither ATIS nor the IIF shall be responsible for interpreting or making any determination 
concerning the validity, enforceability or scope of any patented invention referenced in or that may be relevant to any 
standard, guideline or other ATIS deliverable 


You may voluntarily provide the following information at the time that the Contribution is made or as soon as 
practicable: 


Intellectual Property: 
Will License on Reasonable And Non Discriminatory (RAND) terms 


L Will Not License 
L] Not Applicable (No IPR Declared) 


Relevance of the IPR: 
Alt or part of the contribution may be included in a patent application. 
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1 Introduction 


This document updates the proposed IPTV Common Scrambling Algorithm as described in IIF- 
DRM-2006-430. The goal of the update is to make the proposed IPTV Common Scrambling 
Algorithm purely based on AES CBC mode as specified in FIPS PUB 81 and NIST Special 
Publication 800-38A, while keeping the updated IPTV Common Scrambling Algorithm as much 
compatible as possible with scrambling algorithms specified by other standards bodies, e.g., 
ANSI/SCTE-52 and ATSC. As in IIF-DRM-2006-430, the updated IPTV Common Scrambling 
Algorithm uses AES under Cipher Block Chaining (CBC) mode to scramble MPEG-2 transport 
stream packets. Only the payload of MPEG-2 transport stream packet is scrambled, the header 
and the optional adaptation field are not scrambled. 


Note that the updated IPTV Common Scrambling Algorithm can also be used to scramble 
MPEG-4 transport stream packets. 


2 Scrambling of MPEG-2 Transport Stream Packet 


Fig. 1 illustrates the scrambling of a MPEG-2 transport stream packet. In Fig. 1, Ex denotes the 
AES encryption algorithm under the control of a scrambling key, K, IV denotes the initialization 
vector, and ® denotes bit-wise exclusive-OR operation. Both the scrambling key K and the 
Initialization Vector IV consist of 16 bytes or 128 bits. 


To scramble a MPEG-2 transport stream packet, the payload is divided into blocks of 16 bytes. 
The last block may consist of less than 16 bytes. As shown in Fig. 1, let P, Po, ... , Pm, m21, 
denote the plaintext blocks of the payload of a MPEG-2 transpost stream packet, where P; is the 
moste significant block and Pp is the least significant block. Correspondingly, let C1, Co, ... , Ca 
denote the ciphertext blocks. Also, let t denote the lenth of of Pn, i.e., the number of bits that Pn 
consists of. Base on the value of t, the scrambling procedure can be described mathematically as 
follows. 


If t is equal to 128 bits, then 
Ci= Ex (Ci. © Pj), for 1< i < m, Co=IV. 
If t is less than 128 bits and m is greater than 1, then 


C,= Ex (Ci ® P), for 1S i <m, Co= IV, 
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and 
Cn = [Ex (Cm.18 H)], © Pu, 


Where [x] , denotes the least significant t bits of x, and H is a constant equal to the following 
hexadecimal number: 


H= 0x7884fe536c3588b73c2f604e48 1 3fbel 


If z is less than 128 bits and m is equal to 1, then C; = [Ex (IV®H)], ® P. This describes the 
scrambling of a solitary termination block, which will be discussed further Section 5. 


Header and Adaptation Payload 
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H = 0x7884fe536c3588b7 ac2f604048 13tbe'l 





Fig. 1. Scrambling of MPEG-2 Transport Stream Packet 


3 Generation of Initialization Vector (IV) 


Fig. 2 illustrates the generation of the Initialization Vector, IV. Note that IV can be set either to a 
constant or to a programmable random number. In Fig. 2, fiv is a one-bit flag controlling the 
generation of IV. When fy is equal to zero, IV is set to be all zero. When frv is equal to 1, the 
AES encryption algorithm Ex first encrypts zero under the control of the scrambling key K. Then, 
the AES encryption algorithm encrypts zero again under the control of a new key, E,(0), and the 
resultant ciphertext is assigned to IV. By default, fiv is set to 1. Optionally, a network operator 
may chose to use its own mechanism to set fiy to different values, e.g., setting fiv to 0 during the 
bootstrapping of receiving devices. 


I}—--DRM-2006-xxx October 3, 2006 


All Zero All Zero 





Fig. 2. Generation of Initialization Vector (IV) 
å Descrambling of MPEG-2 Transport Stream Packet 


Fig. 3 illustrates the descrambling procedure of an MPEG-2 transport stream packet. In Fig. 3, Dy 
denotes the AES decryption algorithm under the control of a descrambling key, K, which is equal 
to the scrambling key, and IV denotes the initialization vector. Both the descrambling key, K, and 
the Initialization Vector, IV, consist of 16 bytes or128 bits. 


IIF-DRM-2006-xxx October 3, 2006 


H = Ox? 864fei36c3588b73c2té04e48 13tbe 
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Fig. 3. Descrambling of MPEG-2 Transport Stream Packet 


To descramble a MPEG-2 transport stream packet, the payload of the MPEG-2 transport 
stream packet is divided into blocks of 16 bytes. The last block may consist of less than 
16 bytes. As shown in Fig. 3, let Ci, C2, ..., Cm, m21, denote the ciphertext blocks and let 
P,, Ps, ... , Pm, denote the corresponding plaintext blocks. Also, let t denote the number of 
bits that C,, consists of. Base on the value of t, the descrambling procedure can be described 
mathematically as follows. 


If t is equal to 128 bits, then 
P;= Dg (C) ® Cy, for 1< i < m, Co=IV. 
If t is less than 128 bits and m is greater than 1, then 
P; = Dx (C;) ® Ci, for 1< i <m, Co= IV, 
and 
Pan = [Ex (Cn-1® H)], ® Cn, 


Where [x], denotes the least significant t bits of x, and H is a constant equal to the following 
hexadecimal number: 


H= 0x7884fe536c3588b73c2£604e4813fbel 
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If t is less than 16 bytes (or 128 bits) and m is equal to 1, then P; = [Ex (IV®H)], ® C;. This 
describes the descrambling of a solitary termination block, which will be discussed further in 


Section 5. 
5 Processing of Solitary Termination Block 


Due to the varying length of the optional adaptation field, an MPEG-2 transport stream packet 
may contain a very small payload of less than 16 bytes. In such a scenario, the payload would be 
the first and last the block, which is called a solitary termination block. Fig. 4 describes the 
scrambling of a solitary termination block, denoted by P). Let t denote the number of bits that P; 
consists of. Then the ciphertext block C; is computed by taking the bit-wise exclusive-OR of P; 
and the least significant t bits of Ex(IV® H). 


Header and Payload 
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Fig. 4. Scrambling of Solitary Termination Block 


The descrambling of a solitary termination block is the same as the scrambling. Fig. 5 describes 
the descrambling of a solitary termination block, denoted by C4. Let t denote the number of bites 
that C; consists of. The plaintext block P; is computed by taking the bit-wise exclusive-OR of C; 
and the least significant t bits of EkK(IV® H). 
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H = Ox? 884feS36c3588b7 3cZi604e48 13fbe 1 H P4 
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Fig. 5. Descrambling of Solitary Termination Block 


